The Road Ahead for Full Disk Encryption

Software-based full disk encryption (FDE) technologies have been widely adopted to protect data stored on computing devices, most often laptops or desktops. When a device with software-based FDE is powered off or, in some cases, hibernated, an attacker who gains access to it cannot retrieve user data from its drive because the data is encrypted. Once a user provides valid authentication credentials, the device decrypts the encrypted contents of the drive and grants the user access to the operating system, applications, and data. Software-based FDE has proven effective at mitigating many threats involving the loss or theft of devices.

Unfortunately, software-based FDE is still disruptive today. These technologies have several known weaknesses that are often overlooked. Although organizations may be willing to live with these weaknesses today, we expect that in the coming years, this will no longer be true. In fact, we see software-based FDE as a stopgap solution, inherently suboptimal because it runs within the computer’s operating system. The solution can be much simpler.

The next generation of FDE solutions is hardware-based, and in the long term it is expected to replace software-based FDE. Known as SEDs (Self-Encrypting Drives), these hardware-based technologies have FDE capabilities built into the drives themselves, either traditional hard disk drives (HDDs) or solid state drives (SSDs). A SED is unlocked when a user provides valid authentication credentials. SEDs are not new; they have been commercially available for several years. They haven’t been widely deployed to date because the technology is still maturing. However, most organizations should now be planning SED deployments to take advantage of their considerable advantages. Experts have already given considerable thought to solving the issues with SEDs, and it is expected that all remaining issues will be solved quickly once larger-scale deployments are underway.

Performance

Software-based FDE adds another layer of software to each device, while SED does not. The additional software is bound to slow down devices, especially when it’s compared to the hardware-based encryption of SED. It’s significantly faster to perform encryption and decryption functions in hardware than software. This, in turn, reduces the delay that users have to tolerate when starting up or shutting down their devices. In terms of both performance and reliability, software-based FDE can also cause problems because of its need to share the device’s resources with operating system and application processes (e.g., disk cache, CPU).

Security

Another consideration involves the security of the solution itself. Software-based FDE performing encryption or decryption operations has to keep referencing a cryptographic key that is being held in the device’s memory. This puts the key at increased risk of compromise from an attacker. Because SED is at the hardware level, it does not put any cryptographic keys into the device’s memory; rather, all keys are kept within the drive hardware itself.

Cost

In the long run, SED is less expensive than software-based FDE. There are some initial costs for both solutions: the purchase and deployment of SED-capable drives versus FDE software. Over time, however, SED solutions will typically incur lower costs than software-based FDE solutions. There are several reasons for this, including the following:

As discussed above, SED’s higher speed will reduce downtime for users. SED also has a much shorter initial encryption time than software-based FDE: minutes instead of hours or even days.

SED is considered to be more usable than software-based FDE because it is less disruptive to users. This should result in lower support costs and higher user satisfaction.

Because SED is hardware-based and it does not add a layer of software to the device, it is generally more reliable than software-based FDE. This means fewer operational problems and a significantly lower risk of data being lost because of an FDE malfunction.

Complexity

SED is a much simpler FDE solution than software-based FDE because it is hardware-based and does not involve the operating system. Software-based FDE requires the operating system to have drivers built into it to do decryption and to support the preboot environment before the operating system loads. The lower complexity of SED generally means fewer operational problems and fewer exploitable security vulnerabilities, not to mention easier troubleshooting when problems do occur.

In addition to the encryption layer in the operating system, software-based FDE injects an encryption layer into the preboot (pre-OS) code as well. Compared to these layers, the single-purpose encryption layer on the SED is clearly simpler to implement, and thus easier to make robust.

SED still has some issues due to its lack of maturity, such as incompatibility between components, but with time the industry’s best minds will solve these issues as SED becomes more popular. These issues should not make us fail to recognize the superiority of SED compared to software-based FDE.

Key Management

Sound key management is critical to the security of an FDE deployment because it ensures that keys are generated, distributed, stored, retrieved, and used in a secure fashion. A fundamental tenet of securing an FDE deployment is to separate encryption functions and key management. If encryption and key management are handled together, it becomes much easier for an attacker to gain simultaneous access to both the encryption key and the data it protects, which can result in immediate compromise.

All SED solutions and some software-based FDE solutions support this separation of encryption and key management. SED provides this support by leveraging a separate software-based key management solution located on the device. There are several benefits to this architecture, and they will be discussed in the next blog posting.
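The separation described above, as an added example that is not from the post or from WinMagic's products: a Python model in which a simulated drive generates its data encryption key (DEK) internally and stores it only in wrapped form, while a host-side key manager derives the key-encryption key (KEK) from the user's credential and never sees the DEK or the data. The class and function names, the PBKDF2 derivation, and the SHAKE256 keystream standing in for the drive's hardware cipher are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Stand-in for the drive's hardware cipher (assumption, demo only): SHAKE256 keystream XOR.
def _xor_stream(key: bytes, tweak: bytes, data: bytes) -> bytes:
    stream = hashlib.shake_256(key + tweak).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class SelfEncryptingDrive:
    # Drive side: the data encryption key (DEK) is generated here and is only ever
    # stored wrapped under a key-encryption key (KEK) supplied from outside.
    def __init__(self, kek: bytes):
        self._blocks = {}            # LBA -> ciphertext under the DEK
        self._wrapped = self._wrap(os.urandom(32), kek)
        self._dek = None             # working copy, present only while unlocked
    def _wrap(self, dek: bytes, kek: bytes) -> bytes:
        return _xor_stream(kek, b"wrap", dek) + hmac.new(kek, dek, "sha256").digest()

    def unlock(self, kek: bytes) -> bool:
        dek = _xor_stream(kek, b"wrap", self._wrapped[:32])
        tag = hmac.new(kek, dek, "sha256").digest()
        if not hmac.compare_digest(tag, self._wrapped[32:]):
            return False             # wrong KEK: the DEK is never recovered
        self._dek = dek
        return True
    def lock(self) -> None:
        self._dek = None             # power-off or lock: no usable key material remains

    def rekey(self, old_kek: bytes, new_kek: bytes) -> bool:
        # A credential change re-wraps the DEK only; no block is re-encrypted.
        if not self.unlock(old_kek):
            return False
        self._wrapped = self._wrap(self._dek, new_kek)
        return True

    def write(self, lba: int, data: bytes) -> None:
        if self._dek is None:
            raise PermissionError("drive is locked")
        self._blocks[lba] = _xor_stream(self._dek, lba.to_bytes(8, "big"), data)
    def read(self, lba: int) -> bytes:
        if self._dek is None:
            raise PermissionError("drive is locked")
        return _xor_stream(self._dek, lba.to_bytes(8, "big"), self._blocks[lba])

def derive_kek(passphrase: str, salt: bytes) -> bytes:
    # Host-side key management: derives the KEK from the user credential and holds
    # neither the DEK nor the data, so compromising it alone yields no plaintext.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
```

Because only the wrapped DEK changes on a credential change, a passphrase rotation completes in constant time regardless of drive size, which is the property behind the short re-keying and initial-encryption times the post attributes to SEDs.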

Conclusion

Although software-based FDE technologies are adequate to meet today’s FDE needs, in the long run they are expected to be replaced by SED. SED’s hardware-based nature provides several advantages over software-based FDE, including in the areas of performance, security, cost, complexity, and key management. When organizations plan for future needs, they should expect to need to acquire SED-capable drives and complementary key management software for their laptops, desktops, and other devices that would benefit from FDE technologies. What’s more, organizations should demand that their desktop and laptop providers make SEDs available for all their models at no extra cost.

Karen Scarfone is the co-author of this blog. She is a former senior computer scientist for the National Institute of Standards and Technology (NIST), and has over 15 years of experience across a wide variety of security domains.


Thi Nguyen-Huu is the President and CEO of WinMagic, which he founded in 1997 with a vision to create encryption solutions that are secure and sophisticated yet easy to use for enterprises. Today this vision has evolved to Intelligent Management for Everything Encryption. When he is not busy running and growing the company, Thi is a sports enthusiast and thus always competitive. His one concession to constant competitiveness is leading a weekly Integral Taichi CK10 class at work, which provides relaxation and harmony to his hard-working WinMagicians. Thi writes from a position of constant leadership and innovation; having two past successful ventures, his knowledge and experience will offer interesting insights within the security industry.
